Advogato blog for pipeman<br/>
http://www.advogato.org/person/pipeman/ (feed dated Fri, 9 Dec 2016 13:41:45 GMT)<br/>
<br/>
Wed, 13 Aug 2014 14:03:00 GMT, http://www.advogato.org/person/pipeman/diary.html?start=51<br/>
<b>Configuring smart card login on OS X 10.9</b><br/>
<br/>
Earlier I documented <a href="http://www.advogato.org/person/pipeman/diary/50.html" >how to use a Finnish government issued ID card (FINeID) for SSH authentication</a>. As my vacation ended and I had to dig the smart card reader out to SSH to a machine, I remembered that I never quite figured out how to get login authentication to work with the same card. It took a bit of detective work but it turns out the basic steps are not that complicated. I will only cover the most basic set-up, where you pair one specific smart card with a local account on your computer using the card's public key. It's possible to have a more sophisticated setup for larger organisations.<br/>
<br/>
First, check my <a href="http://www.advogato.org/person/pipeman/diary/50.html" >previous post</a> and follow the instructions for how to set up OpenSC and verify using <code>pkcs15-tool -k</code> that your card reader and card are working properly.<br/>
<br/>
Then, in case you have Apple IDs associated with your user account, you need to work around a bug in authorizationhost: in System Preferences, go to Users & Groups and select the user you're setting up for smart card login. <b>Remove all associated Apple ID accounts</b> by clicking on the "Change…" button next to "Apple ID:" and deleting any entries from the list (if any). <b>Failure to do so may make it impossible to unlock the screen and unlock System Preferences panes.</b> You can also manually do this with Directory Utility by removing all entries except the one containing the username from the user's RecordName property in the Users directory.<br/>
<br/>
<br/>
Once that is done, run the following to enable smart card support for logins:<br/>
<br/>
<code>sudo security authorizationdb smartcard enable</code><br/>
<br/>
Make sure the card is inserted, and list the public key hashes using the OS X built-in command <code>sc_auth</code>:<br/>
<code>sc_auth hash</code><br/>
<br/>
It should output a list similar to this, but with slightly more random hashes:<br/>
<code><br/>
01DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF todentamis- ja salausavain<br/>
02DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF allekirjoitusavain<br/>
03DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.systemdefault<br/>
04DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.kerberos.kdc<br/>
05DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.systemdefault<br/>
06DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.kerberos.kdc<br/>
07DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF Imported Private Key<br/>
</code><br/>
<br/>
Again, it's the <i>todentamis- ja salausavain</i> we're interested in. Now use <code>sc_auth</code> to associate that public key with a user account:<br/>
<code><br/>
sudo sc_auth accept -u USERNAME -h 01DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF<br/>
</code><br/>
<br/>
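The hash selection and pairing steps above, scripted as an added example (not part of the original post): it picks the hash by key label and refuses to build the <code>sc_auth accept</code> command when the label is missing or appears more than once, as <code>com.apple.systemdefault</code> does in the sample. The function names and <code>USERNAME</code> are placeholders, and the sample input is the placeholder listing shown above.<br/>

```shell
#!/bin/sh
# Added example (not from the original post): choose the hash to pair from
# `sc_auth hash` output by key label, and refuse anything ambiguous.

# Constructed sample: the placeholder listing shown above, not real hashes.
sample_listing() {
    cat <<'EOF'
01DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF todentamis- ja salausavain
02DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF allekirjoitusavain
03DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.systemdefault
04DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.kerberos.kdc
05DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.systemdefault
06DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF com.apple.kerberos.kdc
07DEADBEEF00DEADBEEF00DEADBEEF00DEADBEEF Imported Private Key
EOF
}

# pick_hash LABEL: reads an `sc_auth hash` listing on stdin.
# Prints the hash only if exactly one line carries LABEL and the hash is
# 40 hex digits, as in the listing. Exit 1: no or several matches; 2: bad hash.
pick_hash() {
    awk -v want="$1" '
        {
            label = $0
            sub(/^[^ \t]+[ \t]+/, "", label)   # drop the hash column
            sub(/[ \t\r]+$/, "", label)        # drop trailing whitespace
            if (label == want) { n++; found = $1 }
        }
        END {
            if (n != 1) exit 1
            if (length(found) != 40 || found !~ /^[0-9A-Fa-f]+$/) exit 2
            print found
        }'
}

# pairing_command USER LABEL: reads the listing on stdin and prints the
# `sc_auth accept` command line for review; it does not run it.
pairing_command() {
    user=$1
    label=$2
    case $user in
        ''|*[!A-Za-z0-9._-]*) echo "refusing odd username: $user" >&2; return 3 ;;
    esac
    keyhash=$(pick_hash "$label") || {
        echo "no single well-formed hash labelled '$label'" >&2
        return 1
    }
    printf 'sudo sc_auth accept -u %s -h %s\n' "$user" "$keyhash"
}

# Demo on the constructed sample. On a real Mac the input would come from:
#   sc_auth hash | pairing_command USERNAME 'todentamis- ja salausavain'
sample_listing | pairing_command USERNAME 'todentamis- ja salausavain'
```
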
This should be it - when the smart card is initialised, the corresponding user will automatically be selected in the login screen, and instead of prompting for a password it will prompt you for the card's PIN. Note that typically the card PIN defaults to a 4-digit number but it can be changed to (in the case of a FINeID card) any 4-8 character alphanumeric string using e.g. <code>pkcs15-tool --change-pin</code>. For other cards you can inspect the PIN code constraints using <code>pkcs15-tool --list-pins</code>.<br/>
<br/>
When logging in using a smart card rather than a password, OS X will not be able to unlock your login keychain, as it by default is encrypted using your login password. You can choose to either manually unlock the keychain or change the keychain to use your smart card for unlocking rather than a password. <strike>If you do that, it means that your keychain is effectively encrypted with your smart card, so if you lose your smart card, you will lose access to your login keychain.</strike> It seems that Keychain migration uses your smartcard PIN as your new keychain password, so beware that you may actually lower the keychain encryption key entropy if your smartcard PIN is simpler than your regular password.<br/>
<br/>
If you have FileVault full disk encryption enabled (and you should) OS X will automatically log you in using the password supplied at the FileVault login screen. If you have followed the instructions above, your account will still have a valid password (it's possible to disable password login entirely by deleting the "ShadowHash" entry in the AuthenticationAuthority record of your user account using Directory Utility - note that this will also effectively disable sudo for that user) and you will be automatically logged in, but the system will not be able to unlock your keychain with that password. To prevent automatic login with FileVault, you can run:<br/>
<br/>
<code><br/>
sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES<br/>
</code><br/>
<br/>
More information in <a href="http://support.apple.com/kb/HT5989" >HT5989</a>.<br/>
<br/>
If you know French, this blog post contains <a href="http://blog.inig-services.com/archives/1448" >some more details on configuring smart card authentication on Mavericks</a>.<br/>
<br/>
Wed, 2 Jul 2014 18:35:48 GMT, http://www.advogato.org/person/pipeman/diary.html?start=50<br/>
<p><b>SSH authentication using the Finnish electronic ID card (FINEID) on OS X</b></p>
<p>The government of Finland provides smart card-enabled ID cards to all residents under the <a href="http://www.fineid.fi" >FINeID</a> program run by the Population Register Centre (Väestörekisterikeskus). The chip provided is, according to <a href="http://www.fineid.fi/default.aspx?id=0&docid=3632&action=Publish" >the spec</a>, based on ISO/IEC 7816-15 (also known as PKCS#15), 7816-4 and 7816-8. The open source project <a href="https://github.com/OpenSC/OpenSC/wiki" >OpenSC</a> makes it possible to interact with PKCS#15 cards on a variety of operating systems, including OS X, Linux and Windows.</p>
<p>When I renewed my ID card I became interested in the possibilities provided by this, so I ordered a <a href="http://www.chipdrive.de/index.php/en/scr3500-faltbarer-usb-chipkartenleser.htm" >card reader</a> known to work with Mac and installed <a href="https://www.opensc-project.org/files/macosx/" >version 0.13</a>. The latest version is 0.14.0 but there are no pre-compiled binaries for OS X, and my own attempts at building it <a href="https://gist.github.com/pajp/9a5ef091825431de254d" >failed quite early</a>.</p>
<p>After installing OpenSC, you'll see something similar to the following message in the system log when inserting the card reader and the card:<br/>
<code><br/>
2014-07-02 20:11:38,774 com.apple.SecurityServer[17]: reader SCR35xx Smart Card Reader 00 00 inserted token "HENKILOKORTTI" (088f5dfb29f6672f9435db333fc0539bc64f2769) subservice 2 using driver com.apple.tokend.opensc<br/>
</code><br/>
You can then use the <code>pkcs15-tool</code> command to list available private keys stored on the card:<br/>
<code><br/>
$ pkcs15-tool -k<br/>
Using reader with a card: SCR35xx Smart Card Reader 00 00<br/>
Private RSA Key [todentamis- ja salausavain]<br/>
Object Flags : [0x1], private<br/>
Usage : [0x26], decrypt, sign, unwrap<br/>
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local<br/>
Access Rules : execute:01;<br/>
ModLength : 2048<br/>
Key ref : 0 (0x0)<br/>
Native : yes<br/>
Path : 3f004b01<br/>
Auth ID : 01<br/>
ID : 45<br/>
<br/>
Private RSA Key [allekirjoitusavain]<br/>
Object Flags : [0x1], private<br/>
Usage : [0x200], nonRepudiation<br/>
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local<br/>
Access Rules : execute:02;<br/>
ModLength : 2048<br/>
Key ref : 0 (0x0)<br/>
Native : yes<br/>
Path : 3f0050164b02<br/>
Auth ID : 02<br/>
ID : 46<br/>
</code><br/>
Your FINeID card provides you with two certificates and corresponding keys; one for signing and one for authentication and encryption. However, for the purpose of SSH authentication the certificates (and their stated purpose) don't matter; we just care about the corresponding RSA public and private keys, so we can pick either one. You need to know which one you're using because they're protected with different PIN codes, provided to you by mail. Above, we can see that the first key, labelled <i>todentamis- ja salausavain</i> has ID 45 on the card - let's pick that. It happens to be the authentication/encryption key and is protected with PIN1. We then simply need to retrieve its corresponding public key in a format suitable for an OpenSSH <code>authorized_keys</code> file. Luckily <code>pkcs15-tool</code> provides exactly that - just tell it you want the key with ID 45 and pipe it to <code>pbcopy</code> to place it into your pasteboard.<br/>
<code><br/>
$ pkcs15-tool --read-ssh-key 45|pbcopy<br/>
Using reader with a card: SCR35xx Smart Card Reader 00 00<br/>
</code><br/>
<br/>
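The key listing and the choice of key ID described above, as an added example that is not part of the original post: it parses <code>pkcs15-tool -k</code> output into one record per key, so the ID passed to <code>--read-ssh-key</code> and the Auth ID (01 is the PIN1-protected key in this post) are looked up rather than read off by eye. The function names are made up for this example and the sample input is the listing from this post.<br/>

```shell
#!/bin/sh
# Added example (not from the original post): turn `pkcs15-tool -k` output
# into one record per key: "ID|Auth ID|usage|label".

# Constructed sample: the listing from this post, indented for readability.
sample_p15() {
    cat <<'EOF'
Using reader with a card: SCR35xx Smart Card Reader 00 00
Private RSA Key [todentamis- ja salausavain]
    Object Flags : [0x1], private
    Usage : [0x26], decrypt, sign, unwrap
    Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
    Access Rules : execute:01;
    ModLength : 2048
    Key ref : 0 (0x0)
    Native : yes
    Path : 3f004b01
    Auth ID : 01
    ID : 45

Private RSA Key [allekirjoitusavain]
    Object Flags : [0x1], private
    Usage : [0x200], nonRepudiation
    Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
    Access Rules : execute:02;
    ModLength : 2048
    Key ref : 0 (0x0)
    Native : yes
    Path : 3f0050164b02
    Auth ID : 02
    ID : 46
EOF
}

# list_keys: reads the listing on stdin, prints one record per private key.
list_keys() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
        function emit() {
            if (label != "") print id "|" auth "|" usage "|" label
            label = ""; id = ""; auth = ""; usage = ""
        }
        /^[ \t]*Private .*Key \[/ {        # header line starts a new key
            emit()
            a = index($0, "["); b = index($0, "]")
            label = substr($0, a + 1, b - a - 1)
            next
        }
        {
            p = index($0, ":")              # split "Name : value" at first colon
            if (p == 0) next
            name = trim(substr($0, 1, p - 1))
            val = trim(substr($0, p + 1))
            if (name == "ID") id = val
            else if (name == "Auth ID") auth = val
            else if (name == "Usage") {
                q = index(val, "],")        # skip the "[0x26]," bitmask
                usage = (q > 0) ? trim(substr(val, q + 2)) : val
            }
        }
        END { emit() }'
}

# key_id_for_label LABEL: prints the ID to pass to --read-ssh-key.
# Fails unless exactly one key carries that label.
key_id_for_label() {
    list_keys | awk -F'|' -v want="$1" \
        '$4 == want { print $1; n++ } END { exit (n == 1 ? 0 : 1) }'
}

# auth_id_for_key ID: prints the Auth ID, i.e. which PIN guards that key.
auth_id_for_key() {
    list_keys | awk -F'|' -v want="$1" \
        '($1 "") == (want "") { print $2; n++ } END { exit (n == 1 ? 0 : 1) }'
}

# Demo on the constructed sample. With a card inserted, the input would be
# the output of: pkcs15-tool -k
id=$(sample_p15 | key_id_for_label 'todentamis- ja salausavain')
echo "pkcs15-tool --read-ssh-key $id   # Auth ID $(sample_p15 | auth_id_for_key "$id")"
```
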
Open <code>~/.ssh/authorized_keys</code> on the target computer and paste the contents of your pasteboard onto its own line.<br/>
Next you need to tell your SSH client to defer authentication to your smart card. This is done by using the -I option to ssh to specify the OpenSC PKCS#11 library, like this:<br/>
<code><br/>
$ ssh -I /usr/lib/opensc-pkcs11.so karin.local<br/>
Enter PIN for 'HENKILOKORTTI (perustunnusluku)': <br/>
Last login: Wed Jul 2 21:06:33 2014 from otter.local<br/>
karin:~ rasmus$ <br/>
</code><br/>
You will be prompted for your PIN - enter PIN1 here provided that you picked the "todentamis- ja salausavain" key earlier and you will be logged in. To have ssh always query your ID card, add the following to <code>~/.ssh/config</code> (add a "Host" section above to apply it to one or more specific remote hosts):<br/>
<code><br/>
PKCS11Provider /usr/lib/opensc-pkcs11.so<br/>
</code></p><p>That's it! You can now use your Finnish ID card as a hardware authentication token for your SSH logins.</p> <p><b>Update:</b> you can apparently also do this <a href="http://www.gooze.eu/howto/using-openssh-with-smartcards/using-ssh-authentication-agent-ssh-add-with-smartcards" >using <code>ssh-agent</code></a>. <strike>I haven't tried this yet myself but will update the blog post once I have.</strike> Following those instructions seems to put launchd in a very bad state on OS X 10.9.4. I'll investigate a bit more but until then I recommend against trying ssh-agent with the OpenSC PKCS#11 support.</p>
Thu, 30 Aug 2012 12:51:47 GMT, http://www.advogato.org/person/pipeman/diary.html?start=49<br/>
<b>Disabling Java in Safari for all users on a Mac</b><br/>
<br/>
There are a lot of instructions on how to disable Java applets in different web browsers. However, none of the instructions I've seen have tackled my situation: in my home we each have one account, and even though I administer the computer I don't know the passwords of the other accounts, hence I can't log in as all the other users and manually uncheck the "Enable Java" check box in the Safari security preferences. Because of that I was looking for a way to do it automatically for all users, and this is what I came up with:<br/>
<br/>
<hr><code><br/>
# become root<br/>
sudo -s<br/>
<br/>
# exit all instances of Safari<br/>
killall Safari<br/>
<br/>
# wait for Safari to exit<br/>
while ps axc|grep -q Safari ; do echo "waiting..." ; sleep 1 ; done<br/>
<br/>
# for all users that have a Safari prefs file, set the appropriate keys to "false"<br/>
# paste the following all in one go<br/>
dscl . -list /Users home | while read username homedir ; do \<br/>
file="${homedir}/Library/Preferences/com.apple.Safari" ; \<br/>
if [ -f "${file}.plist" ] ; then echo "Disabling Safari's Java for user $username" ; \<br/>
for prop in com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled WebKitJavaEnabled ; do \<br/>
defaults write "$file" "$prop" -bool false ; chown "$username" "${file}.plist" ; \<br/>
done; \<br/>
fi ; \<br/>
done<br/>
</code><hr><br/>
<br/>
That's it!<br/>
<br/>
Caveats:<br/>
<ul><li>This will only change Safari's preferences (we use Safari at home, with Firefox reserved for sites that require Java or Flash)<br/>
<li>This will only change Safari's preferences if the user has launched Safari at least once<br/>
<li>While I have tested this in Mountain Lion (10.8.1) and Lion (10.7.4), I can't make any guarantees as to whether it'll work in your particular environment. Worst case it may reset your Safari preferences to default. Always have backups. :-)<br/>
</ul><br/>
If you want to disable <i>all</i> plug-ins as well as Java, something I recommend, run this instead for the last step:<br/>
<hr><code><br/>
dscl . -list /Users home | while read username homedir ; do \<br/>
file="${homedir}/Library/Preferences/com.apple.Safari" ; \<br/>
if [ -f "${file}.plist" ] ; then echo "Disabling Safari's Java and all plug-ins for user $username" ; \<br/>
for prop in com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled WebKitJavaEnabled \<br/>
WebKitPluginsEnabled com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled ; do \<br/>
defaults write "$file" "$prop" -bool false ; chown "$username" "${file}.plist" ; \<br/>
done; \<br/>
fi ; \<br/>
done<br/>
</code><hr><br/>
<br/>
Mon, 21 Feb 2011 20:35:48 GMT, http://www.advogato.org/person/pipeman/diary.html?start=48<br/>
Top shell commands on my home computer as of today:
<pre>
$ history|awk '{a[$2]++ } END{for(i in a){print a[i] " " i}}'|sort -rn|head
88 git
76 cd
74 ls
34 sudo
21 ssh
18 du
14 cat
13 ps
13 mdfind
12 open
</pre>
Mon, 28 Sep 2009 01:39:14 GMT, http://www.advogato.org/person/pipeman/diary.html?start=47<br/>
<b>Retesting</b>
<p> <a href="http://www.advogato.org/person/pipeman/diary/5.html" >Almost five
years ago</a> I took this test, and it classified me as Amiga OS - now I took
the same test again and came up as OS X. It would be interesting to see what
has changed in more detail; I couldn't figure out any questions that I definitely
would have answered differently five years ago.
<p> <a href="http://bbspot.com/News/2003/01/os_quiz.php" ><img src="http://www.bbspot.com/Images/News_Features/2003/01/os_quiz/os_x.jpg" width="300" height="90" border="0" alt="You are OS X. You tend to be fashionable and clever despite being a bit transparent. Now that you've reached some stability you're expecting greater popularity."><br>Which OS are You?</a>
<p> What has changed in the last five years, however, is that I run OS X on most of my computers. Back then, I had Windows
2000 on my desktop computer (with coLinux for development), and Windows XP (I think) on my laptop. I do have a W2K
VM on my home Mac (mostly used for <a href="http://www.facebook.com/notes.php?id=797442585" >getting
disappointed at SF Anytime</a>, a local video-on-demand service that requires Windows (and lately, newer Windows
than Windows 2000)), and at work I keep a spare hard disk that I plug in when I need to do things that require Windows
(some of the bureaucracy tools require IE, among other things), but about 80% of my time is spent in OS X and 19% in Linux
(although it depends on how you count; I'm pretty much always logged in to my home Linux server (a small fanless VIA
x86 with a flash disk), for example, and similarly always using a handful of Linux servers at work where, among other
things, <a href="http://www.youtube.com/watch?v=dHaQrYcRC4I" >our testing infrastructure</a> is largely Linux-based,
even the parts that run automated tests on Mac OS X (which in itself is an interesting topic for another talk or blog
post)).
<p> Mon, 14 Apr 2008 17:00:44 GMT, http://www.advogato.org/person/pipeman/diary.html?start=46<br/>
<b>In a Dream</b>
<p> Reading about <a href="http://jautero.livejournal.com/136884.html" >Juha's
dream</a> reminded me of my own from a couple of nights back.
<p> In the beginning it was a bit like a bad re-make of BSG. We were heading for
a destination of unknown location, on a big Battlestar-esque space ship.
Somehow magically me and some other dude were on a smaller ferry ship,
travelling through some worm-hole-like tunnel that was made out of metal.
We landed on some unknown planet, with grass and stone plates laid out in
paths on the ground. We followed one of the paths and ended up in a
candy store. A girl worked in the candy store. I noticed that they had <i><a href="http://en.wikipedia.org/wiki/Ahlgrens" >Ahlgrens Bilar</a></i>, a
typical Swedish candy, which I found odd for what was presumably an
extrasolar planet. I commented to the shopkeeper girl that I liked that candy,
and she replied that she had never tasted it, and went to do so. Soon she had
eaten all of it, delighted by its taste. I was a bit sad that I got none myself. I
also found it odd that they accepted Earth currency and credit cards, and I
noticed that she had received mail from Earth, with postage stamps from
some Earth country. I even think she had a phone connected to the Earth GSM
network. I asked her about it, and she explained that she was part of an
intergalactical conspiracy, where her kind had infiltrated all layers of society
in, among other worlds, Earth, like in <i>Fight Club</i> but with no
malicious intent. Instead it was just a practical thing to be able to
communicate and trade intergalactically, also in worlds that were not
intergalactically aware yet. I don't remember her name exactly, but I
remember her telling me that if someone wanted to mail her from earth, all
they had to do was address the envelope to "<i>Her name</i> with-the-Hat"
and people of her kind at the post office would make sure that it made
its way to her little candy shop in a completely different part of the galaxy.
<p> Mon, 14 Apr 2008 15:16:38 GMT, http://www.advogato.org/person/pipeman/diary.html?start=45<br/>
<b>shell history statistics</b>
<p> Following <a href="http://varaventtiili.blogspot.com/2008/04/what-does-your-shell-history-say-about.html" >sti's shell history meme</a>, here are
some meaningless shell history statistics from my home computers. (By the
way - I would've done that one-liner like this: <code>history | awk '{print $2}' | sort |uniq -c | sort -rn|head</code> - two more pipelines out of
habit.)
<p> <b>My home Mac:</b>
<pre>
$ history|awk '{a[$2]++ } END{for(i in a){print a[i] " " i}}'|sort -rn|head
127 ssh
52 ls
45 ping
32 cd
26 sudo
13 open
12 mount
10 top
10 cat
9 df
</pre>
<p> Surprise: <code>mount</code> - turns out I often use mount without
parameters to see which device a newly attached hard disk appears at.
<p> <b>My Linux gateway box</b>
<pre>
$ history|awk '{a[$2]++ } END{for(i in a){print a[i] " " i}}'|sort -rn|head
47 ls
40 cd
39 screen
38 sudo
24 ps
20 w
19 ping
17 mount
15 cat
14 <a href="http://www.tuxisalive.com" >tuxgdg</a>
</pre>
<p> No surprises, really - I mostly use this box for IRC in a screen session - but
lately also for playing with my <a href="http://www.tuxisalive.com/" >Tux
Droid</a>, hence tuxgdg.
<p> <b>My work laptop (Linux)</b>
<pre>
$ history|awk '{a[$2]++ } END{for(i in a){print a[i] " " i}}'|sort -rn|head
92 sudo
76 ssh
41 echo
38 ping
31 ipsec
22 tail
22 cd
21 ls
16 cat
14 vi
</pre>
<p> This computer is mostly used for remotely connecting to the work VPN (hence
ipsec), and through that connecting to work servers using SSH, and the rest is
done through Gnome or a web browser.
<p> <code>ping</code> appears everywhere, most likely because my ISP is
quite unstable at times. Also, I'm more <code>vi</code> than I thought.
<p> Tue, 6 Nov 2007 18:13:57 GMT, http://www.advogato.org/person/pipeman/diary.html?start=44<br/>
<b>The Big Bang Theory</b>
<p> I started watching <a href="http://imdb.com/title/tt0898266/" >The Big Bang
Theory</a>, a TV-series centred around a few geeks and a hot girl. It's quite
humorous at times, and quite stereotypical all the time. In the second episode,
they are trying to assemble an IKEA media centre piece and one of the guys says
"this is why Sweden has no space program". Of course, as the resident expatriate
Swede I have to set the record straight: <a href="http://www.rymdbolaget.se/?id=6014" >Sweden has had a space program for 35 years</a> (if not even
longer). It's certainly not big or anything, but at least it's something. :-)
Nowadays they're even <a href="http://www.rymdbolaget.se/?id=5104&cid=6476&DivId=&Year=2007" >dabbling with commercial space
flight</a> - we'll see how that turns out.
<p> Fri, 26 Oct 2007 13:17:16 GMT, http://www.advogato.org/person/pipeman/diary.html?start=43<br/>
<b>Mac essentials</b>
<p> A friend of mine has been bugging me to compile a list of Mac software so
that he can start using his own Mac properly. So I thought I'll just jot down a
few programs that I find make life with Mac bearable, in no particular order.
<p> <ul>
<li><a href="http://www.adiumx.com/" >Adium X</a> is the most elegant
instant messaging software ever. Comes with Growl integration, of course.
<li>For web browsing, <a href="http://www.apple.com/safari/" >Safari
3</a> is very usable and has all the essential features I need including
tabbed browsing and type-as-you-find (Mac stylee) plus some other neat goodies such as a
sweet DOM inspector and universally resizable text fields (so that I don't have
to put up with Advogato's very very small textarea for writing this blog post), although I
still have Firefox lying around for stupid sites that won't work with Safari
(Gmail's chat, for example).
<li>For Safari: <a href="http://www.inquisitorx.com/safari/" >Inquisitor</a> turns the Safari
search field into a real-time search/suggestion thingy
<li>Also for Safari, be sure to install <a href="http://growl.info/documentation/growlsafari.php" >GrowlSafari</a> to
get Growl integration with Safari. This, for
example, lets me have important RSS feeds in the bookmark bar, and get
Growl notifications when they are updated
<li><a href="http://www.videolan.org/vlc/" >VLC</a> for watching videos
<li> <a href="http://n.ethz.ch/student/naegelic/download/" >QuickTime
XviD Component</a> - so that you can watch those
downl^H^H^H^H^Hmovies ripped
from legally obtained DVDs, in Front Row (tip: Front Row follows symlinks; so
if you download your movies to a location - say /Volumes/BigDisk - other
than
~/Movies, just <tt>ln -s /Volumes/BigDisk ~/Movies/</tt> and you'll be
able to navigate to them in Front Row)
<li>On the same theme, you'll also most likely need <a href="http://trac.cod3r.com/a52codec" >A52Codec</a> to get some audio
stimuli from those movies as
well
<li>For BitTorrent, I use <a href="http://azureus.sourceforge.net/" >Azureus</a> (with the classic UI).
Yes, it <i>is</i> a resource hog, but it is also very
feature-rich. In Azureus, I use the plugin RSSFeed Scanner to subscribe to RSS
feeds with interesting torrents, so it will generally download everything I'm
interested
in automatically.
<li><a href="http://quicksilver.blacktree.com/" >QuickSilver</a> is another
integral part of any modern Mac. It lets you launch applications with just Ctrl-Space
and the first few letters of the application name. Sleek and handy. It can also
do a gazillion of other things that I've never bothered to learn about.
<li><a href="http://growl.info/" >Growl</a> is one of these tiny additions
that just extends OS X in a natural way. In itself it doesn't do much, but it
gives other
applications a method of giving notifications of important events in an
elegant way.
<li>If you, like me, use <a href="http://last.fm" >last.fm</a> a lot, then you
will want <a href="http://sourceforge.net/projects/iscrobbler/" >iScrobbler</a>, which
is a bit more lightweight than the official last.fm client. Also, it gives you neat
Growl integration of iTunes
<li>For the UNIX and Linux inclined, there is of course a whole world of good
stuff. A good start is to install the X11 application that comes with Mac OS X,
and
then install <a href="http://finkproject.org/" >Fink</a> or <a href="http://www.macports.org/" >MacPorts</a> (personally, I prefer Fink
because of apt-get
goodness).
<li><a href="http://earth.google.com/" >Google Earth</a> is a good time
waster (but why isn't there a full screen mode?)
<li>For coding I use <a href="http://aquamacs.org/" >Aquamacs
Emacs</a> - however, since I moved over from my old PPC Mac Mini to a new
Intel iMac, it refuses to
shut down properly, so I have to kill -9 it manually. I have yet to investigate it,
though, since normally, once I launch Emacs, it stays up until it's time to
reboot the
computer some week later.
<li>To keep track of my computer resource usage, I use <a href="http://www.ragingmenace.com/software/menumeters/" >MenuMeters
</a>
<li>To keep track of my computer's IP address, I use DynDNS and the
corresponding <a href="http://www.apple.com/downloads/dashboard/networking_security/dyndnsupdater.html" >DynDNS Dashboard widget</a>
<li>For backup, I've used <a href="http://www.jungledisk.com/" >Jungle
Disk</a> and Amazon S3, although I am currently considering other options
due to a few
bugs in the exclusion logic in the Jungle Disk backup feature
</ul>
<p> Those were the ones I could come up with off the top of my head. Well,
naturally I have lots of other programs installed (hundreds of them being
regular Unix tools
coming from Fink such as ethereal, nmap and tcpdump for network
monitoring and troubleshooting), but these are the most important ones. The
only game I play is
basically the old Command &amp; Conquer Generals, which Aspyr was nice
enough to release an Intel update to, so it plays nicely also on my new iMac.
Most of the time I
spend in OS X's own Terminal application, running irssi or messing around
with shell scripts or other coding stuff (another tip: command-double click
on a URL in
Terminal opens it in a browser).
<p> Sun, 8 Jul 2007 03:36:41 GMT, http://www.advogato.org/person/pipeman/diary.html?start=42<br/>
<b>Vacation</b>
<a href="http://www.flickr.com/photos/pajp/751883126/" title="Photo Sharing" ><img align="right"
src="http://farm2.static.flickr.com/1095/751883126_7b6a33c8f1_m.jpg"
width="240" height="192" alt="mac-on-mac-on-linux" /></a>
<p>
My vacation has started. Of course, that means sitting up
all night getting red-eyed making random hacks. Pretty much
the same stuff as usual, that is.
<p>
I've found myself booting into Linux on my Mac at home more
often nowadays.
Ubuntu 7.04 does quite a good job on my PPC Mac Mini. I
noticed that IBM has a JDK for PPC - and it was even
available in some repository through apt. My two biggest
annoyances to date: Flash and no Compiz or Beryl. The
open-source Flash implementation that is what you'll have to
live with if you're on PPC (Macromedia hasn't released a PPC
version of their own player) can't play YouTube videos
(which is possibly the most important job for Flash on my
computer) and seems to crash the browser occasionally. Also,
web sites that try to figure out whether you have Flash
installed or not, tend to think that you don't. As to
Compiz/Beryl, I've become so used to having wobbling windows
at work, so when I sit at a Linux desktop without any
desktop effects, it feels all stiff and, well, boring. It's
like rounded corners: it just makes things feel more
natural. I did in fact get some wobbliness out of SUSE 10.1
for PPC, however, the graphics drivers were pretty messy and
my screen ended up with the colours inverted. I eventually
gave up, after many hours of X configuration file editing.
<p>
Another annoyance is the lack of write support for journaled
HFS+ filesystems, which is what most of my disks are
formatted in. I currently haven't yet figured out a good
filesystem that works reliably in both Linux and Mac. I have
lots of media files that I want to access from both
environments, and that doesn't work out too well. Now, I
haven't checked up on the ext2/ext3 support in Mac OS for a
few months, but last time I checked, there was an ext2
filesystem driver for OS X that worked OK, except that it
seemed to often fail to unmount the filesystem cleanly, and
then refused to mount it on subsequent reboots (as it was
dirty and there was no fsck). For now, I've been using HFS+
for my big media disk - I can at least safely read from it -
we'll see if I totally mess it up if I try writing to it.
For my portable hard disk, I've even used NTFS (since I need
to mount it in Windows and it needs to store virtual machine
images of several gigabytes, so FAT32 is a no-go) and when
needed used ntfs-3g to mount it in both Linux and OS X. Very
slow, but works for dropping files back and forth.